
What's Your Approach to Building SIEM Use Cases?

Goal/Why?

This article describes models and processes to deal with two components of the SIEM use case problem:

1. Preventing organizations from building ineffective, low-value use cases in their SIEM.

2. (Trying to) answer the philosophical question: "Which SIEM use cases have the most value and effect for the organization?"

To make this work in a pragmatic and effective way, the goal is to create two end products:

1. A "SIEM Use Case Roadmap".
2. A periodic prioritization and review of the "SIEM Use Case Roadmap", based on the following two inputs:
A. An approach that steers the organization toward the "right" SIEM use cases.
B. Input from the different stakeholders, weighed against the chosen approach.

Use Case Meta Levels

Use cases should be risk-driven. This model shows how the use case concepts used in this article relate to each other.

Use Case building methods

These are tactical models for determining your use case roadmap.

Use case priority per general domain

This is the generic model most practical SIEM specialists use to start building use cases: pick a priority per general domain (for example authentication, perimeter, endpoints) and work down from there.

HP Activate Framework - Data fusion model

The HP Activate Framework has two parts: the data fusion model and the HP Attacker Lifecycle. It starts with the data fusion model to build the foundation and then moves on to the HP Attacker Lifecycle for more advanced use cases.
See the HP Protect 2014 presentation: TB3267 - ArcSight Activate Framework - Petropoulos

HP Activate Framework - Attacker lifecycle

This model can be used stand-alone or together with the rest of the Activate Framework. See the HP Protect 2014 presentation: TB3267 - ArcSight Activate Framework - Petropoulos
The HP Attacker Lifecycle methodology for building use cases (based on Lockheed Martin's kill chain) is found here: http://www8.hp.com/h20195/v2/GetDocument.aspx?docname=4AA4-9490ENW

Many other approaches are named in the risk strategy model; which one is better is relative to the organization.

Data Feed Roadmaps

It's a misconception to just connect EVERYTHING and log EVERYTHING to your SIEM. That is appropriate for a big-data log management solution, but not for a SIEM: a SIEM is use case-driven, not input-driven. Data feeds should be prioritized by the following two criteria:

1. Amount of added value.
A. Is it helpful to operations (triage, enrichment, investigations)?
B. Are there any use cases for this log source?

2. Effort to collect them.
A. Does it need a custom parser?
B. Does the log source need a lot of maintenance?

A log source that scores low on both value questions belongs in log management, not in the SIEM; a high-value source that needs a custom parser is still worth onboarding, just later in the roadmap.
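As an added example (not code from the article or from HP/ArcSight), the following Python script turns the two criteria above into a ranked data feed roadmap for a constructed inventory of candidate log sources. Value is derived from operational usefulness plus the risk of the use cases a feed serves; effort from the need for a custom parser plus expected maintenance. It also shows the caveat a roadmap owner runs into in practice: a use case only goes live when all of its feeds are in, so one deferred feed delays the whole use case. Source names, use cases, weights and the phase threshold are all assumptions chosen for illustration.

```python
"""Rank candidate SIEM data feeds by added value versus collection effort.

Added example for this article, not code from the article or from HP/ArcSight.
The inventory, use cases and scoring weights below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    operational_value: int     # 0-3: usefulness to SOC operations on its own (enrichment, triage)
    needs_custom_parser: bool  # True when no vendor connector/parser exists
    maintenance: int           # 0-3: expected ongoing upkeep (agents, schema churn, outages)


@dataclass(frozen=True)
class UseCase:
    name: str
    risk: int                  # 1-5: severity of the risk the use case addresses
    sources: tuple[str, ...]   # log sources the use case cannot work without


def source_value(src: LogSource, use_cases: list[UseCase]) -> int:
    """Added value: operational usefulness plus the risk of every use case the feed serves."""
    return src.operational_value + sum(uc.risk for uc in use_cases if src.name in uc.sources)


def source_effort(src: LogSource) -> int:
    """Collection effort; a custom parser is weighted like maximum maintenance (assumption)."""
    return 1 + (3 if src.needs_custom_parser else 0) + src.maintenance


def build_roadmap(sources: list[LogSource], use_cases: list[UseCase]) -> list[dict]:
    """Score every feed and place it in a tier; highest value-per-effort first."""
    rows = []
    for src in sources:
        served = [uc.name for uc in use_cases if src.name in uc.sources]
        value, effort = source_value(src, use_cases), source_effort(src)
        score = round(value / effort, 2)
        if not served and src.operational_value <= 1:
            tier = "log management only"   # no use case, little operational value: not a SIEM feed
        elif score >= 2.0:                 # threshold is an assumption; tune to onboarding capacity
            tier = "phase 1"
        else:
            tier = "phase 2"
        rows.append({"name": src.name, "value": value, "effort": effort,
                     "score": score, "tier": tier, "use_cases": served})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


TIER_ORDER = {"phase 1": 1, "phase 2": 2, "log management only": 3}


def use_case_readiness(roadmap: list[dict], use_cases: list[UseCase]) -> dict[str, str]:
    """Phase in which each use case has ALL of its feeds; one deferred feed delays the use case."""
    tier_of = {r["name"]: r["tier"] for r in roadmap}
    readiness = {}
    for uc in use_cases:
        worst = max((tier_of.get(s, "log management only") for s in uc.sources),
                    key=TIER_ORDER.__getitem__)
        readiness[uc.name] = "blocked (feed not in SIEM)" if worst == "log management only" else worst
    return readiness


# Constructed inventory and use cases (not from the article).
SOURCES = [
    LogSource("windows_security", 3, False, 1),
    LogSource("edr", 2, False, 1),
    LogSource("firewall", 2, False, 1),
    LogSource("web_proxy", 1, False, 2),
    LogSource("vpn", 1, False, 1),
    LogSource("legacy_billing_app", 0, True, 3),
]

USE_CASES = [
    UseCase("Brute force against AD accounts", 4, ("windows_security",)),
    UseCase("Lateral movement with admin credentials", 5, ("windows_security", "edr")),
    UseCase("Outbound C2 beaconing", 4, ("web_proxy", "firewall")),
    UseCase("VPN logon from an impossible location", 3, ("vpn",)),
]


if __name__ == "__main__":
    roadmap = build_roadmap(SOURCES, USE_CASES)
    for r in roadmap:
        print(f"{r['name']:20} value={r['value']:2} effort={r['effort']} score={r['score']:5} {r['tier']}")
    for name, when in use_case_readiness(roadmap, USE_CASES).items():
        print(f"{name}: {when}")
```

With this inventory the firewall lands in phase 1 but the web proxy in phase 2, so the C2 beaconing use case is not deliverable until phase 2 even though half of its data is already flowing; the roadmap owner has to either pull the proxy feed forward or postpone the use case. The legacy billing application, with no use case and a custom parser to write, is the kind of source that should go to log management rather than the SIEM.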

Data feed roadmap

Here is a general data feed roadmap for your SIEM and log management environment, based on the following HP Protect 2014 presentation:
TT3052 - HP ArcSight Data makes the difference - Mitchell Webb, John Rouffas